Chainalysis: Pyongyang Stole $1.7B in Crypto, Mainly From DeFi Platforms
North Korea’s spree of state-sponsored cryptocurrency theft continued apace last year as Pyongyang hackers illicitly lifted about $1.7 billion worth of digital assets – close to half of the world’s cryptocurrency stolen in 2022, new analysis shows.
That $1.7 billion likely made up a sizable chunk of North Korea’s economy and funded its nuclear weapons program, says blockchain analysis firm Chainalysis. North Korea is the rare country whose state-sponsored hackers attack for their country’s financial gain. The hereditary totalitarian regime that has governed the country since 1948 has long funded criminal activity in a quest for hard currency, given its self-imposed autarchy and pariah status on the global stage.
Cybercriminals, including North Korean-linked hackers, use cryptocurrencies for the same reasons people use them for legitimate purposes: They are cross-border, liquid and instantaneous, Erin Plante, senior director of investigations at Chainalysis, tells Information Security Media Group. “This is particularly advantageous for countries that are cut off from the global economy,” she says.
North Korean hackers are “systematic and sophisticated” in hacking and laundering stolen funds and are backed by a nation that supports cryptocurrency-enabled crime on a massive scale, says Plante.
Decentralized finance presents a uniquely inviting target to hackers of all stripes, and Pyongyang has taken advantage of it. DeFi protocols are open source, allowing hackers to study them ad nauseam for exploits, Plante says. It is possible that protocols’ incentives to reach the market and grow quickly lead to lapses in security best practices, she adds. Theft from DeFi platforms accounts for $3.1 billion of the $3.8 billion recorded as stolen by hackers in 2022.
North Korean hackers use phishing lures, code exploits, malware and advanced social engineering to siphon funds into wallets they control, Plante says. They have a “calculated” laundering method and deploy obfuscation techniques such as mixing to create a disconnect between the cryptocurrency they deposit and withdraw. They also move stolen funds via chain hopping, which is the process of swapping between several different kinds of cryptocurrency in a single transaction.
As long as crypto assets held in DeFi services have value and are vulnerable, bad actors will try to steal them. The only way to stop them is for the industry to shore up security and train crypto companies to identify threats, such as social engineering, that are widely used by groups such as Lazarus, she says.
Off-Ramping Stolen Funds
Cryptomixers are a “cornerstone” of North Korean money laundering, Chainalysis says. “Funds from hacks carried out by North Korea-linked hackers move to mixers at a much higher rate than funds stolen by other individuals or groups.”
Cryptomixer Tornado Cash was a favored platform for laundering money in 2021 and most of 2022, although the United States put a stop to that by sanctioning the service in August, crippling its use. Although still operational, mixers are less effective when fewer people use them, as the service relies on volume to obfuscate the origin and destination of the funds on its platform (see: North Korea Avoids Tornado Cash After US Imposes Sanctions).
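The two points above, that investigators measure what share of stolen funds reaches mixers and that a mixer's obfuscation depends on how many other depositors a withdrawal can hide among, can be shown with a proportional ("haircut") taint tracer over a public ledger. This is an added illustration, not Chainalysis code; the ledger rows, address labels and amounts are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample ledger, processed in order: (from, to, amount).
# Not real chain data; addresses are placeholder labels.
LEDGER = [
    ("thief", "hop_a", 100.0),
    ("thief", "hop_b", 50.0),
    ("hop_a", "mixer_pool", 80.0),
    ("hop_a", "exchange_1", 20.0),
    ("bystander", "mixer_pool", 10.0),   # legitimate user joins the pool
    ("hop_b", "hop_c", 50.0),
    ("hop_c", "mixer_pool", 25.0),
    ("hop_c", "exchange_2", 25.0),
    ("mixer_pool", "cashout", 23.0),     # withdrawal carries the pool's taint ratio
]
MIXERS = {"mixer_pool"}  # assumed set of known mixer deposit addresses


def haircut_taint(ledger, origin, stolen):
    """Proportional taint: each transfer carries the sender's tainted share.
    Returns (tainted amount per address, total tainted value sent to mixers)."""
    balance = defaultdict(float)
    tainted = defaultdict(float)
    balance[origin] = stolen
    tainted[origin] = stolen
    to_mixers = 0.0
    for src, dst, amt in ledger:
        # Senders with no tracked balance are treated as external, clean funds.
        share = tainted[src] / balance[src] if balance[src] > 0 else 0.0
        moved = amt * share
        balance[src] = max(balance[src] - amt, 0.0)
        tainted[src] -= moved
        balance[dst] += amt
        tainted[dst] += moved
        if dst in MIXERS:
            to_mixers += moved
    return dict(tainted), to_mixers


def mixer_share(ledger, origin, stolen):
    """Fraction of the stolen value that was deposited into mixers."""
    _, to_mixers = haircut_taint(ledger, origin, stolen)
    return to_mixers / stolen


def anonymity_set(ledger, mixer):
    """Distinct depositors into the pool: the crowd a withdrawal can hide in.
    Fewer depositors means the mixer obfuscates less, as the article notes."""
    return len({src for src, dst, _ in ledger if dst == mixer})
```

With the sample rows, 70% of the stolen value reaches the mixer, the pool has only three depositors, and the 23-unit withdrawal still carries 21 units of taint because the thief's deposits dominate the pool.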
North Korea-linked hackers are unlikely to be dissuaded by the threat of U.S. sanctions. But the sanctions make it harder for threat actors to cash out their ill-gotten gains, Plante says.
Chainalysis says the criminals diversified their mixer usage in the fourth quarter of 2022. They appear to have zeroed in on Sinbad, a bitcoin mixer that began advertising its services two months after the federal government sanctioned Tornado Cash. Investigators at the analytics firm observed the first transactions by North Korean hackers on the platform in December.
Between December 2022 and January 2023, hackers laundered $24.2 million on the mixer, Chainalysis concludes. This includes the North Korea-linked Lazarus Group, which laundered “a portion” of the funds stolen in the $600 million Axie Infinity hack via Sinbad.
Hackers also increasingly use underground services that aren’t as well known as standard mixers, accessible only through private messaging apps or the Tor browser, and usually only advertised on darknet forums, Plante tells ISMG.
She also sees an uptick in services with brand names and custom infrastructure, with varying complexities. Some function simply as networks of private wallets, while others are more akin to an instant exchanger or mixer, she says. “What links them is their ability to move cryptocurrency to exchanges on behalf of cybercriminals, exchange them for either fiat currency or clean crypto, then send that back to the cybercriminals.”
Law enforcement, Plante says, must continue developing its ability to seize stolen cryptocurrency to the point that hacks are no longer worthwhile.
Federal agents last year seized funds North Korean hackers stole from Axie Infinity’s Ronin bridge hack by partnering with Web3 security companies and tracing the funds on the blockchain. The U.S. FBI also identified Lazarus as the guilty party behind the $100 million Harmony-run Horizon bridge hack.
Similar actions will almost certainly occur in 2023, Plante says.
“When every transaction is recorded in a public ledger, it means that law enforcement always has a trail to follow, even years after the fact, which is invaluable as investigative techniques improve over time.”